Encryption Schemes for Computer Confidentiality


I. Introduction


With the ever-increasing amount of data ... computers, the need for
security in transmission and storage becomes greater and greater [2].
We here consider some new stream enciphering schemes based on J-K
flip-flops. The data is considered to be a stream of binary bits. There
are two main types of encipherment schemes; one is a block scheme which
divides the data into blocks and then enciphers and deciphers a block at
a time, the other is a stream scheme which enciphers and deciphers bit
by bit. The stream enciphering scheme has the advantage that both the
enciphering and the deciphering occur in real time. Since the aim of
this paper is to present some new stream enciphering schemes, we shall
describe briefly a general stream enciphering scheme.


If we let X denote the data set, i.e. $X = (x_1, x_2, \ldots)$, and K
denote a key which is a determined set of bits, $K = (k_1, k_2, \ldots)$,
then the enciphered message $Y = (y_1, y_2, \ldots)$ is equal to
$X + K = (x_1 + k_1, x_2 + k_2, \ldots)$ where $x_i + k_i$ is computed
mod 2. Deciphering is very simply accomplished by adding the key K to
the enciphered message Y, obtaining X as Y + K. So we see that the
important item in an enciphering scheme is the key K. It is assumed that
an unauthorized person knows Y and a portion of clear text (that is, a
number of bits of X) and so can determine the same number of bits of K.
The problem is to prevent the unauthorized user from being able to
determine all of K (hence all of X).

Clearly this cannot happen when K is a random sequence of bits. Such
a key, however, has the disadvantage that it can only be used once. To
overcome this disadvantage and preserve the features of randomness,
people have generated pseudo-random sequences or sequences of very long
period. It is possible to generate a sequence of period $(2^r - 1)$ with
an r-stage linear shift register [3]. Hence the particular shift
register plus an initializing vector which is placed in the shift
register at the start forms the key in this particular case. However,
as was shown in [5], the linearity of the system allows one to solve
for both the shift register and the initializing vectors with 2r
bits of clear text. For a general introduction to cryptography see




II. Non-Linear Schemes Using J-K Flip-Flops

The enciphering schemes we propose below preserve the
pseudo-randomness properties of the shift register while removing the
weakness due to linearity. This is accomplished by combining shift
registers with J-K flip-flops. So we will first define a linear n-stage
shift register with feed-back.


The figure above is a diagram of an n-stage linear shift register
with feedback; for brevity we will just call this a shift register for
the rest of this paper. Each of the squares labelled $x_1, x_2, \ldots, x_n$
contains either a 0 or a 1.

At periodic intervals, the contents of $x_i$, $i > 1$, are transferred
into $x_{i-1}$ and the contents of $x_1$ go out. The new content of
$x_n = \sum_{i=1}^{n} c_i x_i$ where the $c_i$ are all specified, each is
0 or 1, and the addition is modulo 2. The word linear comes from this
expression. If an initializing vector of n 0's and 1's is put into
positions $x_1, \ldots, x_n$, then the shift register generates a
sequence of 0's and 1's. The longest period of this sequence is called
the period of the shift register. It is not hard to show [3] that the
longest period which an r-stage shift register can achieve is
$(2^r - 1)$. Further, if the characteristic polynomial (which determines
the $c_i$) of the r-stage shift register divides $(x^{2^r - 1} - 1)$ over
GF(2), but no $(x^s - 1)$ for $s < (2^r - 1)$, then its shift register
has period $(2^r - 1)$. These sequences of length $(2^r - 1)$ are called
maximum-length shift register sequences.

Even though no finite sequence is truly random, certain properties are
associated with random sequences. In [3] it is shown that maximal
length shift register sequences satisfy three natural randomness
properties. In our encrypting schemes we will be using maximum length
shift register sequences of large period.


Another device we must explain is a J-K flip-flop. This is a 2
input, 2 output (where one output is the complement of the other)
device which operates according to the following rules. We consider an
ordered pair to represent the inputs (j,k). An input (0,0) leaves the
output unchanged, a (1,1) input changes the output, a (0,1) input
produces a 0 output, and a (1,0) input produces a 1 output. An
important fact for the successful operation of the encryption schemes
proposed is given as follows. Let $F_N$ denote the Nth output and (j,k)
denote the Nth input. Then


(*)  $F_{N+1} = (j + k + 1) F_N + j.$

This can be demonstrated by direct computation [7].

Hence two consecutive outputs are needed to compute one of j or k;
which one cannot be specified, but if two consecutive outputs are
known, one of these is known also.

Before we propose some encryption schemes we consider the
following arrangement in order to analyze its strengths and weaknesses.


In this arrangement, there are two shift registers denoted by
S.R.1 and S.R.2 whose outputs constitute the j and k inputs to a J-K
flip-flop. We here consider S.R.1 and S.R.2 to generate maximum length
shift register sequences. This whole arrangement is considered as
generating a key sequence K which it can do once initializing vectors
are input into S.R.1 and S.R.2. Clearly changing either S.R.1 or S.R.2
results in a new key.


Remark 1: Notice as a consequence of (*) that two outputs of A are
needed in order to determine either j or k. Specifically, an output of
01 (first 0, then 1) specifies j as 1, 00 implies j = 0, 10 (first 1,
then 0) specifies k as 1 and 11 implies k = 0. From this it follows
that a set of s consecutive j's can only be determined by a set of s +
1 outputs of A whose first s elements are 0 and that the set of s j's
are all 0. Similarly, a set of s consecutive k's can only be
determined by a set of (s + 1) outputs of A whose first s elements are
1 and the set of s k's must be all 0.

First we discuss the strengths of this scheme.


1) Even if the periods of S.R.1 and S.R.2 are of moderate sizes, it is
possible to choose them so that the period of A is much larger. This
is expressed precisely in the following theorem.


Theorem: If S.R.1 has period $p_1 \neq 1$, S.R.2 has period $p_2 \neq 1$,
g.c.d.$(p_1, p_2) = 1$, and $p_1$ and $p_2$ are odd, then A has period
$p_1 p_2$.


Proof: Denote by s the period of A. Note that s cannot be 1. After
the initialised conditions have been overcome, the output of A must
repeat at $p_1 p_2$ since g.c.d.$(p_1, p_2) = 1$. Hence $s \mid p_1 p_2$.
Since g.c.d.$(p_1, p_2) = 1$, both $p_1$ and $p_2$ divide s so that s is
$p_1 p_2$.


The periods of irreducible polynomials of degree 12 through 20,
where the degree gives the stage of the shift register, are given in
Table I. From this it can be seen that there are (144) x (630) ways to
choose a 12-stage shift register of period 4,095, and a 13-stage shift
register of period 8,191. These periods satisfy the conditions of the
theorem so that A would have period greater than $10^7$. Similarly there
are 27,594 x 24,000 choices for a 19-stage shift register of period
524,287 and a 20-stage shift register of period 1,048,575 where A for
this situation would have period greater than $5 \times 10^{11}$.

2) A is very easy to implement since both shift registers and J-K
flip-flops are easy to implement.

3) System A has good features in case an error occurs in the
transmission of K. If the error is in a bit which has emerged from the
flip-flop then it is a single error which does not affect any other
bits. If an error occurs in the internal state of the flip-flop then
it affects all bits as long as (j,k) is either (0,0) or (1,1).
However, the error is corrected as soon as (j,k) is either (0,1) or
(1,0) so that we either have a completely incorrect stream which could
be easily detected or a completely correct stream.

Remark 2: Assume S.R.i (i = 1,2) has $r_i$ stages. The largest sequence
of consecutive digits which the output of A can determine for S.R.i has
$(r_i - 1)$ consecutive zeroes.


Proof: By the randomness properties of maximum-length shift registers,
the largest sequence of zeroes generated by S.R.1 or S.R.2 has length
$(r_1 - 1)$ or $(r_2 - 1)$ respectively [3]. The proof of Remark 2 then
follows from Remark 1.

The following is the most serious weakness. From the previous
discussion of shift registers we know that a particular r-stage shift
register can be determined by knowing 2r bits of clear text; r bits for
the initializing vectors and r bits to solve the r linear equations. By
Remark 2, the largest sequence of consecutive bits for S.R.i which can
be determined by the output of A has length $(r_i - 1)$. In the following
very unlikely situation S.R.1 and S.R.2 can be determined by
$2r_1 + 2r_2$ bits of clear text. We assume the values of $r_1$ and $r_2$
are known.

Suppose the output of A has $(r_1 - 1)$ zero bits. Then S.R.1 has a
sequence of $(r_1 - 1)$ zeroes and so must have a one at each end of this
sequence yielding $r_1 + 1$ known bits. If the next (or preceding)
$(r_2 - 2)$ bits of output of A are zero, then we have a sequence of
$(r_1 - 2)$ bits of S.R.1 known and equal to zero. The sum of these is
$2r_1$ bits known for S.R.1. This could be followed by a similar sequence
of bits (with ones instead of zeroes) which determine S.R.2. Thus there
is a possible situation where $2r_1 + 2r_2$ bits of clear text of
arrangement A could break the key to both S.R.1 and S.R.2.

Another weakness is that the randomness properties of the maximum
length shift register sequences are not preserved in A. Namely if a
one is output the likelihood is less than one half that the next output
will be a one. Similarly for a zero output. This is undesirable
because it is more susceptible to a statistical attack than a random
sequence. For these reasons we consider a modification of arrangement
A, namely arrangement B.


This is an arrangement A except for the alternator (denoted by A) after
the flip-flop. The alternator eliminates alternate bits.

Remark 3. If S.R.1 has odd period $p_1$, S.R.2 has odd period $p_2$, and
g.c.d.$(p_1, p_2) = 1$, then arrangement B has period $p_1 p_2$.

Proof: By the theorem the output of the flip-flop has period $p_1 p_2$
which is an odd number. Hence the sequence formed of every other bit
of the output sequence has the same period $p_1 p_2$.

Note that the alternator restores some of the randomness
properties of the maximum length shift registers since two is
relatively prime to $p_1 p_2$ when $p_1 p_2$ is odd.


Since the output of arrangement B cannot determine any digits of
either S.R.1 or S.R.2 by Remark 1, we could attempt to reconstruct the
key by guessing the $(2r_1 + 2r_2)/2 = (r_1 + r_2)$ missing alternate
bits. This requires $2^{r_1 + r_2}$ guesses and so represents a great
deal more computation needed to reconstruct the key than for
arrangement A. Arrangement B has the disadvantage that it emits one
digit for every 2 cycles of the clock. The shift register must operate
at twice the input stream rate.
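The recurrence (*), the known-keystream leak of Remark 1, and the period
statements of the Theorem and Remark 3 can be checked on a small instance.
The Python below is an added example, not code from the paper; the two toy
registers (taps for x^3 + x + 1 and x^2 + x + 1, periods 7 and 3), the
initializing vectors and all function names are assumptions chosen for it.

```python
from itertools import islice

def lfsr(taps, state):
    """n-stage linear shift register: x_1 goes out, new x_n = sum c_i x_i mod 2."""
    state = list(state)
    while True:
        yield state[0]
        fb = 0
        for c, x in zip(taps, state):
            fb ^= c & x
        state = state[1:] + [fb]

def arrangement_a(taps1, init1, taps2, init2, n, f0=0):
    """Clock S.R.1 (j) and S.R.2 (k) into a J-K flip-flop for n ticks."""
    js = list(islice(lfsr(taps1, init1), n))
    ks = list(islice(lfsr(taps2, init2), n))
    out, f = [], f0
    for j, k in zip(js, ks):
        f = ((j ^ k ^ 1) & f) ^ j        # (*): F_{N+1} = (j + k + 1) F_N + j
        out.append(f)
    return out, js, ks

def leaked_inputs(out):
    """Remark 1: each pair of consecutive outputs fixes one of j or k."""
    leaks = []
    for n in range(len(out) - 1):
        if out[n] == 0:                  # 00 -> j = 0, 01 -> j = 1
            leaks.append((n + 1, "j", out[n + 1]))
        else:                            # 10 -> k = 1, 11 -> k = 0
            leaks.append((n + 1, "k", out[n + 1] ^ 1))
    return leaks

def alternator(out):
    """Arrangement B: drop alternate bits, so emitted bits are never adjacent."""
    return out[::2]

def period(seq, bound):
    """Smallest s <= bound such that seq[i] == seq[i + s] for i < bound."""
    for s in range(1, bound + 1):
        if all(seq[i] == seq[i + s] for i in range(bound)):
            return s
    return None

# Constructed toy registers (assumed, not from the paper):
# x^3 + x + 1 with period 7, and x^2 + x + 1 with period 3.
SR1 = ([1, 1, 0], [1, 0, 0])
SR2 = ([1, 1], [1, 0])
P = 7 * 3

def demo():
    out, js, ks = arrangement_a(*SR1, *SR2, n=6 * P)
    truth = {"j": js, "k": ks}
    leak_ok = all(truth[name][t] == bit for t, name, bit in leaked_inputs(out))
    steady = out[P:]                     # skip the start-up transient
    return leak_ok, period(steady, P), period(alternator(steady), P)

if __name__ == "__main__":
    print(demo())
```

Every bit inferred from a pair of consecutive outputs of A matches the true j or k, while the output of B contains no consecutive pairs to apply the rule to; both sequences have period 21 = 7 x 3 for these registers.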

III. Some proposed encryption schemes.

The first proposed scheme is arrangement C below.


The 3 A's again denote alternators.

Assume S.R.i has $r_i$ stages. Then to reconstruct the key one must
guess $2(\sum r_i)$ alternate bits at least and this is too much to
calculate for $r_1$, $r_2$, $r_3$, and $r_4$ of even moderate sizes.
Arrangement C is straightforward to simulate on a computer. It also has
the disadvantage that it does not run in real time, however it is easy
to implement.

The second proposed scheme D combines all the unbreakable
properties of arrangement C with the advantage that it does run in real

This is also unbreakable by linear calculation, and runs in real
time. The final device with boxes labelled from 1 until 4 is a
recycling counter and transmits the contents of i + 1 (mod 4) right
after the contents of box i is transmitted. If the period of S.R.i is
an odd number $p_i$ and the $p_i$'s are relatively prime in pairs, then
the period of D is $\prod_{i=1}^{8} p_i$. Since four is relatively prime
to $\prod p_i$ when the $p_i$ are odd the output maintains some of the
randomness properties of the original shift register sequences. It is
an open question whether the output is a pseudo-random sequence in the
sense of [3].

The following is one possible way to choose S.R.i, (i = 1, ..., 8)
in arrangement D. From Table I we see that we can choose the 8
polynomials as follows.

C1        C2            C3                      C4              C5
S.R. i    r_i = stage   period = (2^r_i - 1)    # of choices    factorization of C3
                                                for S.R. i

1         5             31                      6               31
2         19            524,287                 27,594          524,287
3         7             127                     18              127
4         17            131,071                 7,710           131,071
5         9             511                     48              7 x 73
6         16            65,535                  2,048           3 x 5 x 17 x 257
7         11            2,047                   176             23 x 89
8         13            8,191                   630             8,191

Note from C5 that the periods of the eight shift registers are odd and
relatively prime in pairs so that the final period is their product
which is greater than 10^2*. The number of different choices of these
periods for the eight shift registers is given by the product of the
numbers in column C4 which is greater than two times $10^{20}$. This is a
number so large that even if a precise circuit and all the keys are
given to an unauthorized person there is no possibility of successfully
breaking a message by simply trying all the keys. Note that it is
necessary to store less than 40,000 polynomials to obtain these more
than $10^{20}$ choices.

Table I below is given to illustrate the large number of
irreducible polynomials which are available to generate maximal length
shift sequences and where to find some of them.

A gives the degree of the polynomial = stage of shift register.

B = period of a maximal length shift register of degree A.

C = number of irreducible polynomials of degree A and period B.
This is given by the formula $\varphi(2^A - 1)/A$ where $\varphi$ is the
Euler $\varphi$ function [3].

D = P means all C polynomials of degree A and period B can be
found from the tables in the back of Peterson and Weldon [6].

E = factorization of B [computed on Macsyma [4]].

Table I

A     B            C         D    E

5     31           6         P    prime
6     63           6         P    3^2·7
7     127          18        P    prime
8     255          16        P    3·5·17
9     511          48        P    7·73
10    1,023        60        P    3·11·31
11    2,047        176       P    23·89
12    4,095        144       P    3^2·5·7·13
13    8,191        630       P    prime
14    16,383       756       P    3·43·127
15    32,767       1,800     P    7·31·151
16    65,535       2,048     P    3·5·17·257
17    131,071      7,710          prime
18    262,143      7,776          3^3·7·19·73
19    524,287      27,594         prime
20    1,048,575    24,000         3·5^2·11·31·41

We can see from Table I that there is a very large number of
keys of relatively prime lengths available. These yield an output
of period so long that it is difficult to break. Just this short
table is enormously rich in keys and periods and yet a scheme
using them has about 100 components.

Another variation on these encrypting schemes would be to use
an n-counter, which is a set of interconnected J-K flip-flops,
instead of a shift register. The mathematical theory of these
n-counters is presently being developed ([1] and [7]). The
algebraic formulas for determining the output sequence are given in
[7, p. 9]. There are both linear and non-linear n-counters and the
non-linear ones would be more difficult to determine than a linear
shift register. Using n-counters rather than shift registers
would make the proposed schemes even more resistant to statistical
attack. However, since the mathematical theory is so new, how to
choose an n-counter with a very large period is still an open
question.

IV. Conclusion

In conclusion, we have proposed some stream enciphering
schemes which use standard components and are easy to implement.
These schemes appear to be difficult to break and we have made
estimates in some instances of how difficult this is. These
estimates have shown that these schemes require more computations
than can economically be performed. We believe that these schemes
would perform very well as data encryption schemes for computer
confidentiality.